GLV/GLS Decomposition, Power Analysis, and Attacks on ECDSA Signatures With Single-Bit Nonce Bias

Size: px

Start display at page:

Download "GLV/GLS Decomposition, Power Analysis, and Attacks on ECDSA Signatures With Single-Bit Nonce Bias"

Jerome Anthony Waters
5 years ago
Views:

1 GLV/GLS Decomposition, Power Analysis, and Attacks on ECDSA Signatures With Single-Bit Nonce Bias Diego F. Aranha Pierre-Alain Fouque Benoît Gerard Jean-Gabriel Kammerer Mehdi Tibouchi Jean-Christophe Zapalowicz NTT Secure Platform Laboratories Asiacrypt, / NTT Secure Platform Laboratories

2 Overview Apology: although we have power analysis in the title and this is a side-channel session, SCA is not our main focus. Twofold motivation: Break the 2-bit bias barrier of HNP lattice attacks on (EC)DSA Consider how such attacks apply to elliptic curves with fast endomorphisms 2/ NTT Secure Platform Laboratories

3 Overview Apology: although we have power analysis in the title and this is a side-channel session, SCA is not our main focus. Twofold motivation: Break the 2-bit bias barrier of HNP lattice attacks on (EC)DSA Consider how such attacks apply to elliptic curves with fast endomorphisms 2/ NTT Secure Platform Laboratories

4 Outline Attack on ECDSA with 1-bit nonce bias HNP attacks on ECDSA Our attack on 1-bit bias GLV/GLS decomposition and HNP Curves with fast endomorphisms The recomposition approach The decomposition approach Conclusion 3/ NTT Secure Platform Laboratories

5 Outline Attack on ECDSA with 1-bit nonce bias HNP attacks on ECDSA Our attack on 1-bit bias GLV/GLS decomposition and HNP Curves with fast endomorphisms The recomposition approach The decomposition approach Conclusion 4/ NTT Secure Platform Laboratories

6 Outline Attack on ECDSA with 1-bit nonce bias HNP attacks on ECDSA Our attack on 1-bit bias GLV/GLS decomposition and HNP Curves with fast endomorphisms The recomposition approach The decomposition approach Conclusion 5/ NTT Secure Platform Laboratories

7 ECDSA Most commonly used elliptic curve-based signature scheme Slightly contrived variant of Schnorr signatures (all results in this talk also apply to actual Schnorr and similar schemes) Description Public params: elliptic curve E/Fq, point P generating a subgroup of large known prime order n Key pair: private key x random in Z/nZ, public key Q = [x]p Signature on m: pair (r, s) computed as k $ Ð (Z/nZ) (u, v) Ð [k]p r Ð u mod n s Ð k 1 (H(m) + rx) mod n Randomness k usually called the nonce; indeed, it must not be reused, otherwise: x = (sh 1 s 1 h)/(s 1 r sr 1 ) mod n but a bit of a misnomer, because non-repetition is not enough. 6/ NTT Secure Platform Laboratories

8 ECDSA Most commonly used elliptic curve-based signature scheme Slightly contrived variant of Schnorr signatures (all results in this talk also apply to actual Schnorr and similar schemes) Description Public params: elliptic curve E/Fq, point P generating a subgroup of large known prime order n Key pair: private key x random in Z/nZ, public key Q = [x]p Signature on m: pair (r, s) computed as k $ Ð (Z/nZ) (u, v) Ð [k]p r Ð u mod n s Ð k 1 (H(m) + rx) mod n Randomness k usually called the nonce; indeed, it must not be reused, otherwise: x = (sh 1 s 1 h)/(s 1 r sr 1 ) mod n but a bit of a misnomer, because non-repetition is not enough. 6/ NTT Secure Platform Laboratories

9 ECDSA Most commonly used elliptic curve-based signature scheme Slightly contrived variant of Schnorr signatures (all results in this talk also apply to actual Schnorr and similar schemes) Description Public params: elliptic curve E/Fq, point P generating a subgroup of large known prime order n Key pair: private key x random in Z/nZ, public key Q = [x]p Signature on m: pair (r, s) computed as k $ Ð (Z/nZ) (u, v) Ð [k]p r Ð u mod n s Ð k 1 (H(m) + rx) mod n Randomness k usually called the nonce; indeed, it must not be reused, otherwise: x = (sh 1 s 1 h)/(s 1 r sr 1 ) mod n but a bit of a misnomer, because non-repetition is not enough. 6/ NTT Secure Platform Laboratories

10 ECDSA Most commonly used elliptic curve-based signature scheme Slightly contrived variant of Schnorr signatures (all results in this talk also apply to actual Schnorr and similar schemes) Description Public params: elliptic curve E/Fq, point P generating a subgroup of large known prime order n Key pair: private key x random in Z/nZ, public key Q = [x]p Signature on m: pair (r, s) computed as k $ Ð (Z/nZ) (u, v) Ð [k]p r Ð u mod n s Ð k 1 (H(m) + rx) mod n Randomness k usually called the nonce; indeed, it must not be reused, otherwise: x = (sh 1 s 1 h)/(s 1 r sr 1 ) mod n but a bit of a misnomer, because non-repetition is not enough. 6/ NTT Secure Platform Laboratories

11 The risk of leaky nonces Rewrite the relation satisfied by ECDSA signatures as: k = H(m)s 1 looomooon h + rs 1 lomon x mod n We know pairs (h, c) such that h + cx = k mod n. If we know something about k (such as its MSBs), it should translate to information about the private key x! Essentially the hidden number problem. Main attack due to Howgrave-Graham & Smart using lattice reduction (reduces HNP to CVP in a suitable lattice) carried out for 2-bit leaks on 160-bit curves (Liu Nguyen 2013) currently out of reach for for 2-bit leaks on 256-bit curves currently out of reach for for 3-bit leaks on 384-bit curves hard limit: impossible for 1-bit leaks (the hidden vector in the lattice is not short enough to recover, even with a CVP oracle) c 7/ NTT Secure Platform Laboratories

12 The risk of leaky nonces Rewrite the relation satisfied by ECDSA signatures as: k = H(m)s 1 looomooon h + rs 1 lomon x mod n We know pairs (h, c) such that h + cx = k mod n. If we know something about k (such as its MSBs), it should translate to information about the private key x! Essentially the hidden number problem. Main attack due to Howgrave-Graham & Smart using lattice reduction (reduces HNP to CVP in a suitable lattice) carried out for 2-bit leaks on 160-bit curves (Liu Nguyen 2013) currently out of reach for for 2-bit leaks on 256-bit curves currently out of reach for for 3-bit leaks on 384-bit curves hard limit: impossible for 1-bit leaks (the hidden vector in the lattice is not short enough to recover, even with a CVP oracle) c 7/ NTT Secure Platform Laboratories

13 The risk of leaky nonces Rewrite the relation satisfied by ECDSA signatures as: k = H(m)s 1 looomooon h + rs 1 lomon x mod n We know pairs (h, c) such that h + cx = k mod n. If we know something about k (such as its MSBs), it should translate to information about the private key x! Essentially the hidden number problem. Main attack due to Howgrave-Graham & Smart using lattice reduction (reduces HNP to CVP in a suitable lattice) carried out for 2-bit leaks on 160-bit curves (Liu Nguyen 2013) currently out of reach for for 2-bit leaks on 256-bit curves currently out of reach for for 3-bit leaks on 384-bit curves hard limit: impossible for 1-bit leaks (the hidden vector in the lattice is not short enough to recover, even with a CVP oracle) c 7/ NTT Secure Platform Laboratories

14 Bleichenbacher s attack Before even the lattice attack was proposed, Bleichenbacher suggested a different approach to HNP (in the context of DSA), based on a Fourier notion of bias Requires many more signatures than the lattice attack for the same parameters, but applies in principle to arbitrarily small biases Presented at an IEEE P1363 meeting in 2000, but never formally published. Reintroduced in a paper by De Mulder et al. at CHES / NTT Secure Platform Laboratories

15 Bleichenbacher s attack Before even the lattice attack was proposed, Bleichenbacher suggested a different approach to HNP (in the context of DSA), based on a Fourier notion of bias Requires many more signatures than the lattice attack for the same parameters, but applies in principle to arbitrarily small biases Presented at an IEEE P1363 meeting in 2000, but never formally published. Reintroduced in a paper by De Mulder et al. at CHES / NTT Secure Platform Laboratories

16 Bleichenbacher s attack Before even the lattice attack was proposed, Bleichenbacher suggested a different approach to HNP (in the context of DSA), based on a Fourier notion of bias Requires many more signatures than the lattice attack for the same parameters, but applies in principle to arbitrarily small biases Presented at an IEEE P1363 meeting in 2000, but never formally published. Reintroduced in a paper by De Mulder et al. at CHES / NTT Secure Platform Laboratories

17 Overview of Bleicherbacher s technique The HNP problem reduces to the following: we are given samples (h j, c j ) such that, for the hidden secret x, the MSBs of the values k j = h j + c j x vanish. The sampled bias of a set of points V = (v 0,, v L 1 ) in Z/nZ defined as B n (V) = 1 L ř L 1 j=0 e2πi v j/n Given the (h j, c j ), consider the vector V = (v j ) given by v j = h j + c j w for some w P Z/nZ. One can check that: if w x, Bn (V) «1/? L is negligible if w = x, B n (V) is close to 1 hence a distinguisher, but not useable because n choices for w Bleichenbacher idea: broaden the peak in bias by reducing the c j s. 9/ NTT Secure Platform Laboratories

18 Overview of Bleicherbacher s technique The HNP problem reduces to the following: we are given samples (h j, c j ) such that, for the hidden secret x, the MSBs of the values k j = h j + c j x vanish. The sampled bias of a set of points V = (v 0,, v L 1 ) in Z/nZ defined as B n (V) = 1 L ř L 1 j=0 e2πi v j/n Given the (h j, c j ), consider the vector V = (v j ) given by v j = h j + c j w for some w P Z/nZ. One can check that: if w x, Bn (V) «1/? L is negligible if w = x, B n (V) is close to 1 hence a distinguisher, but not useable because n choices for w Bleichenbacher idea: broaden the peak in bias by reducing the c j s. 9/ NTT Secure Platform Laboratories

19 Overview of Bleicherbacher s technique The HNP problem reduces to the following: we are given samples (h j, c j ) such that, for the hidden secret x, the MSBs of the values k j = h j + c j x vanish. The sampled bias of a set of points V = (v 0,, v L 1 ) in Z/nZ defined as B n (V) = 1 L ř L 1 j=0 e2πi v j/n Given the (h j, c j ), consider the vector V = (v j ) given by v j = h j + c j w for some w P Z/nZ. One can check that: if w x, Bn (V) «1/? L is negligible if w = x, B n (V) is close to 1 hence a distinguisher, but not useable because n choices for w Bleichenbacher idea: broaden the peak in bias by reducing the c j s. B n (V) 9/ NTT Secure Platform Laboratories 1? L x w

20 Overview of Bleicherbacher s technique The HNP problem reduces to the following: we are given samples (h j, c j ) such that, for the hidden secret x, the MSBs of the values k j = h j + c j x vanish. The sampled bias of a set of points V = (v 0,, v L 1 ) in Z/nZ defined as B n (V) = 1 L ř L 1 j=0 e2πi v j/n Given the (h j, c j ), consider the vector V = (v j ) given by v j = h j + c j w for some w P Z/nZ. One can check that: if w x, Bn (V) «1/? L is negligible if w = x, B n (V) is close to 1 hence a distinguisher, but not useable because n choices for w Bleichenbacher idea: broaden the peak in bias by reducing the c j s. B n (V) 1? L B n (V) x 9/ NTT Secure Platform Laboratories 1? L x w w

21 Outline Attack on ECDSA with 1-bit nonce bias HNP attacks on ECDSA Our attack on 1-bit bias GLV/GLS decomposition and HNP Curves with fast endomorphisms The recomposition approach The decomposition approach Conclusion 10/ NTT Secure Platform Laboratories

22 Implementing Bleichenbacher s algorithm (I) Key step of Bleicheinbacher s algorithm: reducing the c j s by finding small linear combinations between them De Mulder et al. use lattice reduction How Bleichenbacher suggested doing it is not completely clear (iterative collision search on MSBs?) We take a straightforward sort-and-difference approach: sort the (cj, h j ) list according to c j substract each c j from the next largest one (repeat) Starting from a list of L = 2 l samples, we reduce the size of the c j s by roughly l bits per iteration (justified by order statistic arguments) 11/ NTT Secure Platform Laboratories

23 Implementing Bleichenbacher s algorithm (I) Key step of Bleicheinbacher s algorithm: reducing the c j s by finding small linear combinations between them De Mulder et al. use lattice reduction How Bleichenbacher suggested doing it is not completely clear (iterative collision search on MSBs?) We take a straightforward sort-and-difference approach: sort the (cj, h j ) list according to c j substract each c j from the next largest one (repeat) Starting from a list of L = 2 l samples, we reduce the size of the c j s by roughly l bits per iteration (justified by order statistic arguments) 11/ NTT Secure Platform Laboratories

24 Implementing Bleichenbacher s algorithm (I) Key step of Bleicheinbacher s algorithm: reducing the c j s by finding small linear combinations between them De Mulder et al. use lattice reduction How Bleichenbacher suggested doing it is not completely clear (iterative collision search on MSBs?) We take a straightforward sort-and-difference approach: sort the (cj, h j ) list according to c j substract each c j from the next largest one (repeat) Starting from a list of L = 2 l samples, we reduce the size of the c j s by roughly l bits per iteration (justified by order statistic arguments) 11/ NTT Secure Platform Laboratories

25 Implementing Bleichenbacher s algorithm (I) Key step of Bleicheinbacher s algorithm: reducing the c j s by finding small linear combinations between them De Mulder et al. use lattice reduction How Bleichenbacher suggested doing it is not completely clear (iterative collision search on MSBs?) We take a straightforward sort-and-difference approach: sort the (cj, h j ) list according to c j substract each c j from the next largest one (repeat) Starting from a list of L = 2 l samples, we reduce the size of the c j s by roughly l bits per iteration (justified by order statistic arguments) 11/ NTT Secure Platform Laboratories

26 Implementing Bleichenbacher s algorithm (I) Key step of Bleicheinbacher s algorithm: reducing the c j s by finding small linear combinations between them De Mulder et al. use lattice reduction How Bleichenbacher suggested doing it is not completely clear (iterative collision search on MSBs?) We take a straightforward sort-and-difference approach: sort the (cj, h j ) list according to c j substract each c j from the next largest one (repeat) Starting from a list of L = 2 l samples, we reduce the size of the c j s by roughly l bits per iteration (justified by order statistic arguments) 11/ NTT Secure Platform Laboratories

27 Implementing Bleichenbacher s algorithm (II) Rest of the algorithm (as in De Mulder et al.): Once the cj s are short enough, carry out an FFT computation to find the peak Rank the candidate peaks to reveal the MSBs of x, and iterate the attack to find the remaining bits Main difficulties: Every reduction step squares the bias The correct guess of x not always the highest ranked On 1-bit bias, non-trivial engineering project: very costly in data, memory and CPU 12/ NTT Secure Platform Laboratories

28 Implementing Bleichenbacher s algorithm (II) Rest of the algorithm (as in De Mulder et al.): Once the cj s are short enough, carry out an FFT computation to find the peak Rank the candidate peaks to reveal the MSBs of x, and iterate the attack to find the remaining bits Main difficulties: Every reduction step squares the bias The correct guess of x not always the highest ranked On 1-bit bias, non-trivial engineering project: very costly in data, memory and CPU 12/ NTT Secure Platform Laboratories

29 Implementation results b B n (K) α Fraction of c j s reduced by l β bits in a list of 2 l β = 2 β = 1 β = 0 β = 1 β = 2 1st iteration nd iteration rd iteration th iteration th iteration / NTT Secure Platform Laboratories

30 Implementation results b B n (K) α Fraction of c j s reduced by l β bits in a list of 2 l β = 2 β = 1 β = 0 β = 1 β = 2 1st iteration nd iteration rd iteration th iteration th iteration Successfully implemented: SECG P160 R1 curve (C++, RELIC, FFTW) 2 33 signatures 4 sort-and-difference (remove 4 ˆ 32 bits) 52.5% reduced signatures final bias FFT on 32 bits 30 MSB retrieved 1 terabyte 1150 CPU-hours 13/ NTT Secure Platform Laboratories

31 Outline Attack on ECDSA with 1-bit nonce bias HNP attacks on ECDSA Our attack on 1-bit bias GLV/GLS decomposition and HNP Curves with fast endomorphisms The recomposition approach The decomposition approach Conclusion 14/ NTT Secure Platform Laboratories

32 Outline Attack on ECDSA with 1-bit nonce bias HNP attacks on ECDSA Our attack on 1-bit bias GLV/GLS decomposition and HNP Curves with fast endomorphisms The recomposition approach The decomposition approach Conclusion 15/ NTT Secure Platform Laboratories

33 Curves with fast endomorphisms The most costly operation in conventional elliptic curve crypto is elliptic curve scalar multiplication; e.g. in ECDSA signature generation, the computation [k]p Special curves can be used to increase the efficiency of such schemes: curves endowed with some fast endomorphism ψ This technique is used in almost all recent record-breaking implementations of ECC Example special curves: (Koblitz curves over binary fields) Gallant Lambert Vanstone (GLV) curves over prime fields Galbraith Lin Scott (GLS) curves over quadratic extensions more recent work (Ben Smith s Q-curves ) 16/ NTT Secure Platform Laboratories

34 Curves with fast endomorphisms The most costly operation in conventional elliptic curve crypto is elliptic curve scalar multiplication; e.g. in ECDSA signature generation, the computation [k]p Special curves can be used to increase the efficiency of such schemes: curves endowed with some fast endomorphism ψ on a prime order subgroup, ψ is the multiplication by some explicit (usually full size) constant λ to carry out scalar multiplication by k, write k = k1 + k 2 λ (k 1, k 2 of half size); then [k]p = [k 1 ]P + [k 2 ]ψ(p) double exponentiation: «1.7-fold speed-up This technique is used in almost all recent record-breaking implementations of ECC Example special curves: (Koblitz curves over binary fields) Gallant Lambert Vanstone (GLV) curves over prime fields Galbraith Lin Scott (GLS) curves over quadratic extensions more recent work (Ben Smith s Q-curves ) 16/ NTT Secure Platform Laboratories

35 Curves with fast endomorphisms The most costly operation in conventional elliptic curve crypto is elliptic curve scalar multiplication; e.g. in ECDSA signature generation, the computation [k]p Special curves can be used to increase the efficiency of such schemes: curves endowed with some fast endomorphism ψ This technique is used in almost all recent record-breaking implementations of ECC Example special curves: (Koblitz curves over binary fields) Gallant Lambert Vanstone (GLV) curves over prime fields Galbraith Lin Scott (GLS) curves over quadratic extensions more recent work (Ben Smith s Q-curves ) 16/ NTT Secure Platform Laboratories

36 Curves with fast endomorphisms The most costly operation in conventional elliptic curve crypto is elliptic curve scalar multiplication; e.g. in ECDSA signature generation, the computation [k]p Special curves can be used to increase the efficiency of such schemes: curves endowed with some fast endomorphism ψ This technique is used in almost all recent record-breaking implementations of ECC Example special curves: (Koblitz curves over binary fields) Gallant Lambert Vanstone (GLV) curves over prime fields Galbraith Lin Scott (GLS) curves over quadratic extensions more recent work (Ben Smith s Q-curves ) 16/ NTT Secure Platform Laboratories

37 Decomposition vs. recomposition In many algorithms (including ECDSA), we want to compute a random scalar multiplication With endomorphisms, two natural approaches considered in the literature: Decomposition: pick k at random, and then use an algorithm (lattice reduction, continued fractions, etc.) to find k 1, k 2 of half size such that k = k 1 + k 2 λ mod n Recomposition: pick k 1 and k 2 at random, implicitly choosing k = k 1 + k 2 λ mod n We are interested in the implications of these two approaches on vulnerability to HNP-type attacks 17/ NTT Secure Platform Laboratories

38 Decomposition vs. recomposition In many algorithms (including ECDSA), we want to compute a random scalar multiplication With endomorphisms, two natural approaches considered in the literature: Decomposition: pick k at random, and then use an algorithm (lattice reduction, continued fractions, etc.) to find k 1, k 2 of half size such that k = k 1 + k 2 λ mod n Recomposition: pick k 1 and k 2 at random, implicitly choosing k = k 1 + k 2 λ mod n We are interested in the implications of these two approaches on vulnerability to HNP-type attacks 17/ NTT Secure Platform Laboratories

39 Decomposition vs. recomposition In many algorithms (including ECDSA), we want to compute a random scalar multiplication With endomorphisms, two natural approaches considered in the literature: Decomposition: pick k at random, and then use an algorithm (lattice reduction, continued fractions, etc.) to find k 1, k 2 of half size such that k = k 1 + k 2 λ mod n Recomposition: pick k 1 and k 2 at random, implicitly choosing k = k 1 + k 2 λ mod n We are interested in the implications of these two approaches on vulnerability to HNP-type attacks 17/ NTT Secure Platform Laboratories

40 Decomposition vs. recomposition In many algorithms (including ECDSA), we want to compute a random scalar multiplication With endomorphisms, two natural approaches considered in the literature: Decomposition: pick k at random, and then use an algorithm (lattice reduction, continued fractions, etc.) to find k 1, k 2 of half size such that k = k 1 + k 2 λ mod n Recomposition: pick k 1 and k 2 at random, implicitly choosing k = k 1 + k 2 λ mod n We are interested in the implications of these two approaches on vulnerability to HNP-type attacks 17/ NTT Secure Platform Laboratories

41 Decomposition vs. recomposition In many algorithms (including ECDSA), we want to compute a random scalar multiplication With endomorphisms, two natural approaches considered in the literature: Decomposition: pick k at random, and then use an algorithm (lattice reduction, continued fractions, etc.) to find k 1, k 2 of half size such that k = k 1 + k 2 λ mod n Recomposition: pick k 1 and k 2 at random, implicitly choosing k = k 1 + k 2 λ mod n We are interested in the implications of these two approaches on vulnerability to HNP-type attacks 17/ NTT Secure Platform Laboratories

42 Outline Attack on ECDSA with 1-bit nonce bias HNP attacks on ECDSA Our attack on 1-bit bias GLV/GLS decomposition and HNP Curves with fast endomorphisms The recomposition approach The decomposition approach Conclusion 18/ NTT Secure Platform Laboratories

43 Recomposition with GLS Recomposition certainly presents more interesting theoretical challenges We look at the specific case of curves generated with the quadratic GLS method: E 0 over a prime field F p ; order: p + 1 t, t ď 2? p E quadratic twist of E0 over F p 2 we assume further that E(F p 2) is of prime order n; then: n = (p 1) 2 + t 2 and λ =? 1 = t 1 (p 1) mod n In this setting, two possible ways of carrying out recomposition: Careful way: pick k1, k 2 uniformly at random in [0,? n). This is secure! Careless way: pick k1, k 2 uniformly at random in [0, 2 m ) with m = t 1 2 log 2 nu. Can be broken with Bleichebacher s attack! 19/ NTT Secure Platform Laboratories

44 Recomposition with GLS Recomposition certainly presents more interesting theoretical challenges We look at the specific case of curves generated with the quadratic GLS method: E 0 over a prime field F p ; order: p + 1 t, t ď 2? p E quadratic twist of E0 over F p 2 we assume further that E(F p 2) is of prime order n; then: n = (p 1) 2 + t 2 and λ =? 1 = t 1 (p 1) mod n In this setting, two possible ways of carrying out recomposition: Careful way: pick k1, k 2 uniformly at random in [0,? n). This is secure! Careless way: pick k1, k 2 uniformly at random in [0, 2 m ) with m = t 1 2 log 2 nu. Can be broken with Bleichebacher s attack! 19/ NTT Secure Platform Laboratories

45 Recomposition with GLS Recomposition certainly presents more interesting theoretical challenges We look at the specific case of curves generated with the quadratic GLS method: E 0 over a prime field F p ; order: p + 1 t, t ď 2? p E quadratic twist of E0 over F p 2 we assume further that E(F p 2) is of prime order n; then: n = (p 1) 2 + t 2 and λ =? 1 = t 1 (p 1) mod n In this setting, two possible ways of carrying out recomposition: Careful way: pick k1, k 2 uniformly at random in [0,? n). This is secure! Careless way: pick k1, k 2 uniformly at random in [0, 2 m ) with m = t 1 2 log 2 nu. Can be broken with Bleichebacher s attack! 19/ NTT Secure Platform Laboratories

46 Recomposition with GLS Recomposition certainly presents more interesting theoretical challenges We look at the specific case of curves generated with the quadratic GLS method: E 0 over a prime field F p ; order: p + 1 t, t ď 2? p E quadratic twist of E0 over F p 2 we assume further that E(F p 2) is of prime order n; then: n = (p 1) 2 + t 2 and λ =? 1 = t 1 (p 1) mod n In this setting, two possible ways of carrying out recomposition: Careful way: pick k1, k 2 uniformly at random in [0,? n). This is secure! Careless way: pick k1, k 2 uniformly at random in [0, 2 m ) with m = t 1 2 log 2 nu. Can be broken with Bleichebacher s attack! 19/ NTT Secure Platform Laboratories

47 Recomposition with GLS Recomposition certainly presents more interesting theoretical challenges We look at the specific case of curves generated with the quadratic GLS method: E 0 over a prime field F p ; order: p + 1 t, t ď 2? p E quadratic twist of E0 over F p 2 we assume further that E(F p 2) is of prime order n; then: n = (p 1) 2 + t 2 and λ =? 1 = t 1 (p 1) mod n In this setting, two possible ways of carrying out recomposition: Careful way: pick k1, k 2 uniformly at random in [0,? n). This is secure! Careless way: pick k1, k 2 uniformly at random in [0, 2 m ) with m = t 1 2 log 2 nu. Can be broken with Bleichebacher s attack! 19/ NTT Secure Platform Laboratories

48 Security of the careful way When k 1, k 2 are chosen uniformly at random in [0,? n), k = k 1 + k 2 λ is statistically close to uniform in Z/nZ, hence security! Proof idea: show that (k 1, k 2 ) ÞÑ k 1 + k 2 λ induces an injective map [0, p 1) 2 Ñ Z/nZ if (x, y) (x 1, y 1 ) have the same image, the fact that λ 2 = 1 mod n yields (x x 1 ) 2 + (y y 1 ) 2 = n but n, as a prime, has only one representation as a sum of two squares: n = (p 1) 2 + t 2 therefore, x x 1 or y y 1 must be p 1, which is impossible. Good for quadratic GLS. Unfortunately, the proof doesn t immediately generalize to other curves with endomorphisms (e.g. GLV with D = 3?) 20/ NTT Secure Platform Laboratories

49 Security of the careful way When k 1, k 2 are chosen uniformly at random in [0,? n), k = k 1 + k 2 λ is statistically close to uniform in Z/nZ, hence security! Proof idea: show that (k 1, k 2 ) ÞÑ k 1 + k 2 λ induces an injective map [0, p 1) 2 Ñ Z/nZ if (x, y) (x 1, y 1 ) have the same image, the fact that λ 2 = 1 mod n yields (x x 1 ) 2 + (y y 1 ) 2 = n but n, as a prime, has only one representation as a sum of two squares: n = (p 1) 2 + t 2 therefore, x x 1 or y y 1 must be p 1, which is impossible. Good for quadratic GLS. Unfortunately, the proof doesn t immediately generalize to other curves with endomorphisms (e.g. GLV with D = 3?) 20/ NTT Secure Platform Laboratories

50 Security of the careful way When k 1, k 2 are chosen uniformly at random in [0,? n), k = k 1 + k 2 λ is statistically close to uniform in Z/nZ, hence security! Proof idea: show that (k 1, k 2 ) ÞÑ k 1 + k 2 λ induces an injective map [0, p 1) 2 Ñ Z/nZ if (x, y) (x 1, y 1 ) have the same image, the fact that λ 2 = 1 mod n yields (x x 1 ) 2 + (y y 1 ) 2 = n but n, as a prime, has only one representation as a sum of two squares: n = (p 1) 2 + t 2 therefore, x x 1 or y y 1 must be p 1, which is impossible. Good for quadratic GLS. Unfortunately, the proof doesn t immediately generalize to other curves with endomorphisms (e.g. GLV with D = 3?) 20/ NTT Secure Platform Laboratories

51 Insecurity of the careless way Suppose now that k 1, k 2 are chosen uniformly in [0, T), with T = 2 t 1 2 log 2 nu. Bleichenbacher does not apply directly, because the bias on k = k 1 + k 2 λ is small: B n (K) = B n (K 1 ) B n (λk 2 ) = 1 ˇ ˇsin(πT/n) ˇ 1 ˇ ˇsin(πλT/n) ˇ looooooomooooooon T sin(π/n) loooooooomoooooooon T sin(πλ/n) «1 But the bias on t k mod n is significant: negligible B n (tk) = B n (tk 1 ) B n ( (p 1)K2 ) «ˇˇˇsin(π(p 1)T/n) π(p 1)T/n 0.5 ă (p 1)T/n ă 1 if (p 1)T/n «0.5 (i.e n «power of 2): maximal bias ñ B n (tk) = 2/π «0.637 ˇ 21/ NTT Secure Platform Laboratories

52 Insecurity of the careless way Suppose now that k 1, k 2 are chosen uniformly in [0, T), with T = 2 t 1 2 log 2 nu. Bleichenbacher does not apply directly, because the bias on k = k 1 + k 2 λ is small: B n (K) = B n (K 1 ) B n (λk 2 ) = 1 ˇ ˇsin(πT/n) ˇ 1 ˇ ˇsin(πλT/n) ˇ looooooomooooooon T sin(π/n) loooooooomoooooooon T sin(πλ/n) «1 But the bias on t k mod n is significant: negligible B n (tk) = B n (tk 1 ) B n ( (p 1)K2 ) «ˇˇˇsin(π(p 1)T/n) π(p 1)T/n 0.5 ă (p 1)T/n ă 1 if (p 1)T/n «0.5 (i.e n «power of 2): maximal bias ñ B n (tk) = 2/π «0.637 ˇ 21/ NTT Secure Platform Laboratories

53 Insecurity of the careless way Suppose now that k 1, k 2 are chosen uniformly in [0, T), with T = 2 t 1 2 log 2 nu. Bleichenbacher does not apply directly, because the bias on k = k 1 + k 2 λ is small: B n (K) = B n (K 1 ) B n (λk 2 ) = 1 ˇ ˇsin(πT/n) ˇ 1 ˇ ˇsin(πλT/n) ˇ looooooomooooooon T sin(π/n) loooooooomoooooooon T sin(πλ/n) «1 But the bias on t k mod n is significant: negligible B n (tk) = B n (tk 1 ) B n ( (p 1)K2 ) «ˇˇˇsin(π(p 1)T/n) π(p 1)T/n 0.5 ă (p 1)T/n ă 1 if (p 1)T/n «0.5 (i.e n «power of 2): maximal bias ñ B n (tk) = 2/π «0.637 ˇ 21/ NTT Secure Platform Laboratories

54 Insecurity of the careless way Suppose now that k 1, k 2 are chosen uniformly in [0, T), with T = 2 t 1 2 log 2 nu. Bleichenbacher does not apply directly, because the bias on k = k 1 + k 2 λ is small: B n (K) = B n (K 1 ) B n (λk 2 ) = 1 ˇ ˇsin(πT/n) ˇ 1 ˇ ˇsin(πλT/n) ˇ looooooomooooooon T sin(π/n) loooooooomoooooooon T sin(πλ/n) «1 But the bias on t k mod n is significant: negligible B n (tk) = B n (tk 1 ) B n ( (p 1)K2 ) «ˇˇˇsin(π(p 1)T/n) π(p 1)T/n 0.5 ă (p 1)T/n ă 1 if (p 1)T/n «0.5 (i.e n «power of 2): maximal bias ñ B n (tk) = 2/π «0.637 ˇ 21/ NTT Secure Platform Laboratories

55 Concrete attack on the careless way We successfully applied this variant of Bleichenbacher on a 160-bit GLS curve E 0 : y 2 = x 3 3x/ minimal choice over the OPF field F p, p = E : y 2 = x 3 3x + 104?23 3 over F p 2 = F p (? 23) Timings and resource consumption similar to the SECG curve case, except for signature generation itself. 22/ NTT Secure Platform Laboratories

56 Concrete attack on the careless way We successfully applied this variant of Bleichenbacher on a 160-bit GLS curve E 0 : y 2 = x 3 3x/ minimal choice over the OPF field F p, p = E : y 2 = x 3 3x + 104?23 3 over F p 2 = F p (? 23) Timings and resource consumption similar to the SECG curve case, except for signature generation itself. 22/ NTT Secure Platform Laboratories

57 Concrete attack on the careless way We successfully applied this variant of Bleichenbacher on a 160-bit GLS curve E 0 : y 2 = x 3 3x/ minimal choice over the OPF field F p, p = E : y 2 = x 3 3x + 104?23 3 over F p 2 = F p (? 23) Timings and resource consumption similar to the SECG curve case, except for signature generation itself. 22/ NTT Secure Platform Laboratories

58 Concrete attack on the careless way We successfully applied this variant of Bleichenbacher on a 160-bit GLS curve E 0 : y 2 = x 3 3x/ minimal choice over the OPF field F p, p = E : y 2 = x 3 3x + 104?23 3 over F p 2 = F p (? 23) Timings and resource consumption similar to the SECG curve case, except for signature generation itself. 22/ NTT Secure Platform Laboratories

59 Outline Attack on ECDSA with 1-bit nonce bias HNP attacks on ECDSA Our attack on 1-bit bias GLV/GLS decomposition and HNP Curves with fast endomorphisms The recomposition approach The decomposition approach Conclusion 23/ NTT Secure Platform Laboratories

60 Decompositon and side-channels Recall that the decomposition approach consists in choosing k randomly, and computing half-size k 1, k 2 coefficients such that k = k 1 + k 2 λ mod n afterwards If k is chosen uniformly at random in Z/nZ, no mathematical problem with the distribution But the physical implementation of the algorithm computing (k 1, k 2 ) from k may leak information! Concretely, we considered a specific algorithm due to Park et al. for decomposition, and showed that an unprotected implementation of it leaks the LSBs of k Template attack on an 8-bit AVR smartcard: possible to recover the least significant byte of k. Then breaking ECDSA is easy with lattices! 24/ NTT Secure Platform Laboratories

61 Decompositon and side-channels Recall that the decomposition approach consists in choosing k randomly, and computing half-size k 1, k 2 coefficients such that k = k 1 + k 2 λ mod n afterwards If k is chosen uniformly at random in Z/nZ, no mathematical problem with the distribution But the physical implementation of the algorithm computing (k 1, k 2 ) from k may leak information! Concretely, we considered a specific algorithm due to Park et al. for decomposition, and showed that an unprotected implementation of it leaks the LSBs of k Template attack on an 8-bit AVR smartcard: possible to recover the least significant byte of k. Then breaking ECDSA is easy with lattices! 24/ NTT Secure Platform Laboratories

62 Decompositon and side-channels Recall that the decomposition approach consists in choosing k randomly, and computing half-size k 1, k 2 coefficients such that k = k 1 + k 2 λ mod n afterwards If k is chosen uniformly at random in Z/nZ, no mathematical problem with the distribution But the physical implementation of the algorithm computing (k 1, k 2 ) from k may leak information! Concretely, we considered a specific algorithm due to Park et al. for decomposition, and showed that an unprotected implementation of it leaks the LSBs of k Template attack on an 8-bit AVR smartcard: possible to recover the least significant byte of k. Then breaking ECDSA is easy with lattices! 24/ NTT Secure Platform Laboratories

63 Decompositon and side-channels Recall that the decomposition approach consists in choosing k randomly, and computing half-size k 1, k 2 coefficients such that k = k 1 + k 2 λ mod n afterwards If k is chosen uniformly at random in Z/nZ, no mathematical problem with the distribution But the physical implementation of the algorithm computing (k 1, k 2 ) from k may leak information! Concretely, we considered a specific algorithm due to Park et al. for decomposition, and showed that an unprotected implementation of it leaks the LSBs of k Template attack on an 8-bit AVR smartcard: possible to recover the least significant byte of k. Then breaking ECDSA is easy with lattices! 24/ NTT Secure Platform Laboratories

64 Decompositon and side-channels Recall that the decomposition approach consists in choosing k randomly, and computing half-size k 1, k 2 coefficients such that k = k 1 + k 2 λ mod n afterwards If k is chosen uniformly at random in Z/nZ, no mathematical problem with the distribution But the physical implementation of the algorithm computing (k 1, k 2 ) from k may leak information! Concretely, we considered a specific algorithm due to Park et al. for decomposition, and showed that an unprotected implementation of it leaks the LSBs of k Template attack on an 8-bit AVR smartcard: possible to recover the least significant byte of k. Then breaking ECDSA is easy with lattices! 24/ NTT Secure Platform Laboratories

65 Outline Attack on ECDSA with 1-bit nonce bias HNP attacks on ECDSA Our attack on 1-bit bias GLV/GLS decomposition and HNP Curves with fast endomorphisms The recomposition approach The decomposition approach Conclusion 25/ NTT Secure Platform Laboratories

66 Conclusion Record of the smallest amount of nonce bias needed to break ECDSA 1-bit bias on 160-bit elliptic curves! impossible with lattices, but doable with Bleichenbacher significant computational effort, but a resourceful attacker could go much further (256-bit curves?) One should be careful about GLV/GLS decomposition GLV/GLS curves are not safe against nonce attacks When properly carried out, the recomposition technique can be secure When using decomposition, pay attention to side-channels 26/ NTT Secure Platform Laboratories

67 Conclusion Record of the smallest amount of nonce bias needed to break ECDSA 1-bit bias on 160-bit elliptic curves! impossible with lattices, but doable with Bleichenbacher significant computational effort, but a resourceful attacker could go much further (256-bit curves?) One should be careful about GLV/GLS decomposition GLV/GLS curves are not safe against nonce attacks When properly carried out, the recomposition technique can be secure When using decomposition, pay attention to side-channels 26/ NTT Secure Platform Laboratories

68 謝謝! Thank you for your attention 27/ NTT Secure Platform Laboratories

GLV/GLS Decomposition, Power Analysis, and Attacks on ECDSA Signatures with Single-Bit Nonce Bias

GLV/GLS Decomposition, Power Analysis, and Attacks on ECDSA Signatures with Single-Bit Nonce Bias Diego F. Aranha 1, Pierre-Alain Fouque 2,Benoît Gérard 3,4, Jean-Gabriel Kammerer 3,5, Mehdi Tibouchi 6,